pwnable.kr - Toddler's Bottle

pwnable.kr is a wargame site which provides various pwn challenges regarding system exploitation. The main purpose of pwnable.kr is having “fun” while improving one’s hacking skills ;)

Toddler’s Bottle is a section of easy-ish challenges. This writeup contains solutions to almost all of the challenges in that section.

So partly due to lack of time and partly because I want you to think on your own, I won't be explaining my solutions the way I do in my other writeups. I'll just be posting my python/bash/C scripts here with occasional explanations.

leg

mistake

Basically the fd gets set to 0 due to operator precedence: the comparison < binds tighter than the assignment =, so the line fd = open("/home/mistake/password", O_RDONLY, 0400) < 0 stores the result of the comparison in fd. open() succeeds, the comparison is false, and fd ends up as 0, which is stdin. The "password" is therefore read from whatever we type rather than from the file.
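The precedence trap, as an added example that is not code from the writeup or from mistake.c. fake_open() is a stand-in for open(2) that returns 3, the first free descriptor after stdin/stdout/stderr, so the effect is visible without the real password file; the buggy and the corrected condition are side by side.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Stand-in for open(2) (assumption for this example): always succeeds and
 * returns 3, the lowest descriptor after 0, 1 and 2. */
static int fake_open(const char *path, int flags, int mode) {
    (void)path; (void)flags; (void)mode;
    return 3;
}

/* The writeup's case: '<' binds tighter than '=', so fd receives the value of
 * (fake_open(...) < 0). The open succeeded, the comparison is 0, and fd ends
 * up as 0 == STDIN_FILENO. The pragmas only silence the compiler warning
 * that would otherwise flag exactly this mistake. */
int fd_with_precedence_bug(void) {
    int fd;
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wparentheses"
    if (fd = fake_open("/home/mistake/password", O_RDONLY, 0400) < 0) {
        printf("can't open password\n");
        return -1;
    }
#pragma GCC diagnostic pop
    return fd;   /* 0: a later read(fd, ...) takes the password from stdin */
}

/* Corrected: parenthesise the assignment so fd gets the descriptor itself. */
int fd_with_precedence_fixed(void) {
    int fd;
    if ((fd = fake_open("/home/mistake/password", O_RDONLY, 0400)) < 0) {
        printf("can't open password\n");
        return -1;
    }
    return fd;   /* 3: reads come from the file */
}

int main(void) {
    printf("buggy fd = %d, fixed fd = %d\n",
           fd_with_precedence_bug(), fd_with_precedence_fixed());
    return 0;
}
```

Compilers flag the buggy form under -Wparentheses; building with that warning enabled (or -Wall) is the cheap check that catches this class of bug before it ships.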

shellshock

So I have two solutions for this which are actually quite similar. I don't know why one of them segfaults after vomiting out the flag. It's probably due to some implementation details of the shell binary. Please let me know in the comments if you have more specific reasons why this could be segfaulting :)

coin1

```python
from pwn import *

# Run this script on the server for fast speed (there is a time limit).
# Ported from the original Python 2 script to Python 3 / pwntools 4, which
# returns bytes from the tube, hence the b"" literals and decode() calls.


def solve(r, N, C, start=0):
    # Binary search over the coin indices [start, N): weigh the lower half.
    # Real coins weigh 10, the counterfeit 9, so a weight that is a multiple
    # of 10 means every coin on the scale is real.
    mid = (N + start) // 2
    print(start, mid, N)
    if (N - start) == 1:
        # Range narrowed to one coin: submit its index as the answer. If the
        # server still counts this as a weighing and replies with a weight,
        # mid == start + 1 makes the recursion below resend the same index.
        r.sendline(str(start).encode())
        mid += 1
    else:
        to_send = " ".join(str(i) for i in range(start, mid))
        r.sendline(to_send.encode())
    response = r.recvuntil(b"\n").decode()
    print(response)
    if "(99)" in response:
        # Counter reached 99 on the last round: whatever follows is the flag.
        print(r.recv().decode())
    if response.strip().isdigit():
        weight = int(response)
        if weight % 10 == 0:
            solve(r, N, C - 1, mid)      # counterfeit is in the upper half
        else:
            solve(r, mid, C - 1, start)  # counterfeit is in the lower half


def main():
    r = remote("localhost", 9007)
    r.recvuntil(b"N=")   # skip the "N=4 C=2" example game in the banner
    while True:
        r.recvuntil(b"N=")
        N = int(r.recvuntil(b" "))
        r.recvuntil(b"C=")
        C = int(r.recvuntil(b"\n"))
        print(N, C)
        solve(r, N, C)


if __name__ == '__main__':
    main()
```

blackjack

Just enter a negative number as the bet, say -999999999, and then make sure you lose the hand. The bet is only checked against an upper bound, not for being positive, so it is accepted, and losing subtracts the negative bet from your cash, which adds to it. Voila! You're a millionaire ;)
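The bet check with the missing lower bound beside a corrected one, as an added example that is not the writeup's or blackjack.c's code. The starting cash of 500 and the 1,000,000 payout threshold are assumed values for the demonstration.

```c
#include <limits.h>
#include <stdio.h>

#define START_CASH 500          /* assumed starting cash */
#define WIN_THRESHOLD 1000000   /* assumed payout threshold */

/* Buggy check: only "bet > cash" is rejected, so any negative bet passes. */
int bet_accepted_buggy(int cash, int bet) {
    if (bet > cash) {
        printf("You can't bet more than you have!\n");
        return 0;
    }
    return 1;
}

/* Hardened check: a bet must be positive and no more than the player's cash. */
int bet_accepted_fixed(int cash, int bet) {
    return bet > 0 && bet <= cash;
}

/* Losing a hand subtracts the bet; with a negative bet this adds money.
 * Returns -1 instead of overflowing int when the "gain" is too large. */
int cash_after_loss(int cash, int bet) {
    if (bet < 0 && cash > INT_MAX + bet)
        return -1;
    return cash - bet;
}

int is_millionaire(int cash) {
    return cash > WIN_THRESHOLD;
}

int main(void) {
    int bet = -999999999;
    if (bet_accepted_buggy(START_CASH, bet)) {
        int cash = cash_after_loss(START_CASH, bet);
        printf("lost the hand, cash is now %d, millionaire: %s\n",
               cash, is_millionaire(cash) ? "yes" : "no");
    }
    printf("fixed check accepts %d: %d\n", bet,
           bet_accepted_fixed(START_CASH, bet));
    return 0;
}
```

The fixed check rejects the negative bet outright; the overflow guard in cash_after_loss is there because a signed subtraction with an attacker-chosen operand is the other way this arithmetic goes wrong.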

lotto

```python
# Pipe this into the lotto binary: menu option 1 (play) followed by six
# identical bytes, repeated until one of the lottery numbers happens to be 8.
a = "\x08"
for i in range(0, 1000):
    print(1)
    print(a * 6)
```

Basically just submit the same byte in all 6 positions and keep trying again and again. The check compares every submitted byte against every lottery number (6 x 6 = 36 comparisons) and counts every hit, so if just one lottery number equals your byte, all six identical submitted bytes hit it and match == 6. The probability that at least one of the six lottery numbers equals your byte is high enough that a few hundred tries are plenty.
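The counting rule described above, reproduced as an added example that is not code from the writeup or from lotto.c, with a corrected rule next to it. The lottery arrays are constructed sample data, and the assumption that each lottery number is drawn independently from 1..45 is used only for the per-try hit probability.

```c
#include <stdio.h>

#define LOTTO_LEN 6

/* Constructed draws: one contains the value 8 (== "\x08"), one does not. */
const unsigned char SAMPLE_LOTTO_HIT[LOTTO_LEN]  = {8, 3, 20, 41, 7, 14};
const unsigned char SAMPLE_LOTTO_MISS[LOTTO_LEN] = {3, 20, 41, 7, 14, 30};
const unsigned char SAMPLE_SUBMIT[LOTTO_LEN]     = {8, 8, 8, 8, 8, 8};

/* The rule the writeup describes: every submitted byte is compared with every
 * lottery number (36 checks) and each hit increments the counter, so six
 * identical submitted bytes that equal one lottery number score 6. */
int count_matches_pairwise(const unsigned char *lotto, const unsigned char *submit) {
    int match = 0;
    for (int i = 0; i < LOTTO_LEN; i++)
        for (int j = 0; j < LOTTO_LEN; j++)
            if (lotto[i] == submit[j])
                match++;
    return match;
}

/* Corrected rule: each submitted byte can satisfy at most one lottery number,
 * so match == 6 requires six distinct correct values. */
int count_matches_distinct(const unsigned char *lotto, const unsigned char *submit) {
    int used[LOTTO_LEN] = {0};
    int match = 0;
    for (int i = 0; i < LOTTO_LEN; i++) {
        for (int j = 0; j < LOTTO_LEN; j++) {
            if (!used[j] && lotto[i] == submit[j]) {
                used[j] = 1;
                match++;
                break;
            }
        }
    }
    return match;
}

/* Chance that at least one of six independent draws from 1..45 equals the
 * chosen byte: 1 - (44/45)^6, about 0.126 per try (assumed draw model). */
double hit_probability(void) {
    double miss = 1.0;
    for (int i = 0; i < LOTTO_LEN; i++)
        miss *= 44.0 / 45.0;
    return 1.0 - miss;
}

int main(void) {
    printf("pairwise, draw with an 8:    %d\n",
           count_matches_pairwise(SAMPLE_LOTTO_HIT, SAMPLE_SUBMIT));
    printf("pairwise, draw without an 8: %d\n",
           count_matches_pairwise(SAMPLE_LOTTO_MISS, SAMPLE_SUBMIT));
    printf("distinct, draw with an 8:    %d\n",
           count_matches_distinct(SAMPLE_LOTTO_HIT, SAMPLE_SUBMIT));
    printf("P(hit per try) = %.3f\n", hit_probability());
    return 0;
}
```

With a hit rate of roughly one in eight per attempt, the thousand-iteration loop in the script above almost never runs to the end before a draw contains an 8.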